Site Philosophy

This site operates as an independent editorial operation. Advertising, sponsorships, and other non-editorial materials represent the opinions and messages of their respective origins, and not of the site operator. Part of the FM Tech advertising network.

January 10, 2008

Security Expert Leaves His Own Wi-Fi Network Wide Open

Schneier on leaving his Wi-Fi network open: Bruce Schneier is a security savant, and I usually admire his writing. In this case, he wrote something quite stupid for Wired. He explains that he leaves his Wi-Fi at home unsecured and wide open. He walks through technical and legal and practical reasons why closing the network isn't of interest to him. But he only mentions the most important bit in passing: ". If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."

Right.

And how, Mr Security Guru, might I do that? Readers taking his advice without knowing that he's set up encryption for his computer's data across the open network--which is what I assume he's done--would be exposing themselves to risk. He's also wrong about risk profiles. The risk profile at a Wi-Fi hotspot is smaller because of the time dimension (how long someone might attack your computer) and the population dimension (how many people might attack your computer over time).

I don't advise opening your home network because securing your desktop computers and even laptops is so much of a hassle most of the time, that simply disabling local network access--over which more attacks can be launched because many firewalls consider the local network a trusted network and lower their defenses--is the lowest-hanging fruit for average users' protection.

Also, Schneier's discussion with "several lawyers" led to his summary that if someone misused your network, you might wind up plea bargaining over child porn suits or paying the RIAA thousands of dollars to settle, even if you're not at fault. But his conclusion: "I remain unconvinced of this threat, though." I do not.

Finally, Schneier dismisses concerns over ISPs who don't allow their networks to be shared. (Note that although he mentions Fon, he doesn't note their Roadrunner cable deal, which provides their private/public router service to a much larger potential audience with legal sharing ability.) Schneier writes, "But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn't a big risk either. The worst that will happen to you is that you'll have to find a new ISP." He is unaware of the near-monopoly in many parts of the US, even in cities where a duopoly exists. In many cases, a cable firm that drops you can't be replaced by any other broadband provider.

Open networks constructed properly with good security are a great addition to the arsenal of access. Implicitly advising everyone to open their APs--not so good.

4 Comments

I read this article as well and still asking why would someone who's a CTO of a company that provides network security solutions to businesses suggest no security for home users.

It's kinda like saying that because you have a gaurd dog at home, it's okay to leave your door unlocked when you go on vacation.

Also, sending spam is not always intentional. There are viruses that will attempt to use your network as a relay for sending spam. So his suggestion is now part of the spam problem.

He's also obviously never had a phone call from an ISP who just got a phone call from the Department of Defense because someone using your network just tried to hack into a government computer and you then have to provide a security plan to make sure it doesn't happen again.

Throughout the entire article, he doesn't provide any measures to keep your computer secure.

But wait, he is a CTO of a company that provides security solutions. So when that small coffee shop gets hacked from the open wireless network that they also use for their backoffice computers that processes credit cards, they could always give him a call.

After all this time, this is still such a mess. I really want to live in a world where there's free, unsecured Wifi pretty much everywhere. But I also want to see a world where PCs are secure by default; Where everyone uses SSL/TLS for all their email; where it's easy to share your internet connection in a controlled way rather than just either/or, wide open/closed.

In the mean time, long live the Default Linksys/Belkin/Netgear/Dlink community network.

I like sharing but would never do it by leaving my WiFi open. That's why we recommend Whisher (http://www.whisher.com).

[Editor's note: I don't often publish comments that include a company pitch, but Ferran is completely accurate: Whisher provides an effective way to offer openness and security among colleagues and friends with a low bar for set up.--gf]

I note that Schneier does not say "No one should have a closed wireless network." in the article. He says he leaves his network open. He goes through the commonly used reasons against doing this and explains why he isn't worried about them. He says he appreciates when others leave their networks open.

Yes, people could read in to this that if Schneier leaves his network open, they should leave their networks open. And I'm sure some people might do exactly that, but that's not what the article says, nor what Schneier says. He says why he does it, why he doesn't worry about doing it, and why he appreciates others who choose to do the same.

Security is always a trade-off of risk and useability. Schniere has chosen to rate the useability of *his* network as more important than the security of that network, and most probably offsets that risk by instead securing his desktops and servers. The risk of abuse is very low, and for someone who understands security and how to deal with it, the choice is a reasonable one. I also leave my network open, but monitor it and keep my local systems secured as well as possible. My time working in computer security has convinced me for my own personal network and computers, this is a valid choice. For others, that might not be valid.

Finally, I'd like to point out that any computer that is connected to the internet needs to have security issues dealt with anyway. If someone is taking steps to protect a computer for internet use, it is almost protected as well as it needs to be for use on an open network. Why not finish the work and just focus on the computer instead of the computer *AND* the network? It's not like wireless network security is that good or reliable anyway, so limit your focus on one aspect of security, rather than two.